Secure Gateway
Secure Gateway is a secure reverse proxy server for SOCKS, HTTP or CGP traffic. CGP stands for Citrix Gateway Protocol, a TCP tunneling protocol developed by Citrix and currently used only by the Gateway Client for Secure Access Manager. A Secure Gateway server will proxy unauthenticated HTTP requests to one web server (referred to as the Logon Agent or Web Interface server), and will proxy authenticated HTTP requests to a different server (usually MetaFrame Secure Access Manager). Any ICA requests arriving at the Secure Gateway server must contain a valid ticket granted by a Secure Ticket Authority (STA). Tickets are requested from the STA for authenticated users by Web Interface or MetaFrame Secure Access Manager.

A useful feature is that it allows Web Interface and Secure Gateway to be hosted on the same server. HTTPS traffic arriving at the gateway is decrypted and relayed to a web server running on the same machine. This allows Web Interface and Secure Gateway to share a single IP address and SSL certificate.

Issue: Placing Secure Gateway behind a Reverse Proxy Causes SSL Error 4

Combining Web Interface and Secure Gateway can create difficulties if another reverse web proxy is placed between the client and Secure Gateway. This scenario does not generally cause problems with HTTPS traffic destined for Web Interface, but it does not work for ICA\SSL traffic. When a combination Secure Gateway server is placed behind a reverse web proxy, users are able to log into Web Interface and enumerate application icons (all HTTP communications), but attempting to launch a published application results in SSL Error 4. This happens because the ICA\SSL session is terminated by the reverse web proxy, not the Secure Gateway server. Here the reverse web proxy is viewed as a "man in the middle" compromising the integrity of the ICA\SSL network stream.
This causes the SSL handshake between the ICA Client and Secure Gateway to fail. The following sections describe two possible solutions to this problem.

Solution One: Run Secure Gateway Parallel to the Reverse Web Proxy

Separate Web Interface and Secure Gateway onto two machines. Place the server running Web Interface behind the reverse web proxy and place the Secure Gateway server parallel to the reverse web proxy.
This configuration is still secure, and any security policies defined at the reverse web proxy will still affect all its users. In order to traverse the Secure Gateway, users must first pass the reverse web proxy and log into Web Interface in order to obtain a ticket from the STA. Therefore any access control rules defined at the reverse web proxy will affect users wishing to gain entry through Secure Gateway as well.

Solution Two: Use NAT Instead of a Reverse Web Proxy

If the reverse proxy is configured to forward all traffic (not just HTTP traffic) to the combination Secure Gateway\Web Interface server, then SSL is not terminated at the proxy and users are able to connect by means of Secure Gateway. Different vendors refer to this deployment style in different ways.
This approach has the drawback that fine control must be sacrificed regarding the type of traffic that is permitted to traverse the proxy. Incoming traffic must be routed directly to the Secure Gateway\Web Interface server rather than being decrypted, authorized or inspected. From a security standpoint, this is not much different from exposing the server directly to the Internet. There is a logical SSL "tunnel" between the client and Secure Gateway.










